Integration with Open Single Management Platform

You can configure integration with selected Open Single Management Platform servers for one, several, or all KUMA tenants. If Open Single Management Platform integration is enabled, you can import information about the assets protected by this application, manage assets using tasks, and import events from the Open Single Management Platform event database.

First, you need to make sure that the relevant Open Single Management Platform server allows an incoming connection for the server hosting KUMA.

Configuring KUMA integration with Open Single Management Platform includes the following steps:

1. Creating a user account in the Open Single Management Platform Administration Console

   The credentials of this account are used when creating a secret to establish a connection with Open Single Management Platform. Different tasks may require different access rights.

   For more details about creating a user account and assigning permissions to a user, please refer to the Open Single Management Platform Help Guide.

2. Creating a secret of the credentials type for connecting to Open Single Management Platform
3. Configuring Open Single Management Platform integration settings
4. Creating a connection to the Open Single Management Platform server for importing information about assets

   If you want to import information about assets registered on Open Single Management Platform servers into KUMA, you need to create a separate connection to each Open Single Management Platform server for each selected tenant.

   If integration is disabled for the tenant or there is no connection to Open Single Management Platform, an error is displayed in the KUMA Console when attempting to import information about assets. In this case, the import process does not start.

Configuring Open Single Management Platform integration settings

To configure the settings for integration with Open Single Management Platform:

1. Open the web interface of Kaspersky Unified Monitoring and Analysis Platform and select the Settings → Open Single Management Platform section.

   The Open Single Management Platform integration by tenant window opens.

2. Select the tenant for which you want to configure integration with Open Single Management Platform.

   The Open Single Management Platform integration window opens.

3. Enable or disable integration with Open Single Management Platform for the tenant:
   • If you want to enable integration, clear the Disabled check box.
   • If you want to disable integration, select the Disabled check box.

   This check box is cleared by default.

4. Specify intervals for automatic import of asset information and asset vulnerability information from Open Single Management Platform:
   1. In the KSC assets, hardware information field, enter the interval in hours for the automatic import of information about the basic attributes of assets (protection status, anti-virus database version, hardware). and must be an integer. The default setting is 1 (1 hour).
   2. In the KSC assets attributes (vulnerabilities, software, owners) field, enter the interval in hours for automatic import of information about other attributes of assets (vulnerabilities, software, owners). and must be an integer. The default setting is 12 (12 hours).

      Importing the information about asset attributes (vulnerabilities, software, owners) may involve downloading a large amount of data, which may take a longer time to complete, we recommend setting a longer interval than for the hardware information import.

   If necessary, you can manually import asset information and asset vulnerability information from Open Single Management Platform.

5. Click the Save button.

The Open Single Management Platform integration settings for the selected tenant will be configured.

If the tenant you need is missing from the list of tenants, you need to add the tenant to the list of tenants.

Adding a tenant to the list for Open Single Management Platform integration

To add a tenant to the list of tenants for integration with Open Single Management Platform:

1. Open the KUMA web console and select Settings → Open Single Management Platform.

   The Open Single Management Platform integration by tenant appears.

2. Click the Add tenant button.

   The Open Single Management Platform integration window appears.

3. In the Tenant drop-down list, select the tenant that you need to add.
4. Click the Save button.

The selected tenant will be added to the list of tenants for integration with Open Single Management Platform.

Creating Open Single Management Platform connection

To create a new Open Single Management Platform connection:

1. Open the web interface of Kaspersky Unified Monitoring and Analysis Platform and select the Settings → Open Single Management Platform section.

   The Open Single Management Platform integration by tenant window opens.

2. Select the tenant for which you want to create a connection to Open Single Management Platform.
3. Click the Add connection button and define the values for the following settings:
   • Name (required)—the name of the connection. The name can contain 1 to 128 Unicode characters.
   • URL (required)—the URL of the Open Single Management Platform server in hostname:port or IPv4:port format.
   • In the Secret drop-down list, select the secret with the Open Single Management Platform account credentials or create a new secret.
     1. Click the button.

        The secret window is displayed.

     2. Enter information about the secret:
        1. In the Name field, choose a name for the added secret.
        2. In the Tenant drop-down list, select the tenant that will own the Open Single Management Platform account credentials.
        3. In the Type drop-down list, select credentials.
        4. In the User and Password fields, enter credentials for your Open Single Management Platform server.
        5. If you want, enter a Description of the secret.
     3. Click Save.

     You can change the selected secret by clicking .

   • Disabled—the state of the connection to the selected Open Single Management Platform server. If the check box is selected, the connection to the selected server is inactive. If this is the case, you cannot use this connection to connect to the Open Single Management Platform server.

     This check box is cleared by default.

4. If you want Kaspersky Unified Monitoring and Analysis Platform to import only assets that are connected to secondary servers or included in groups:
   1. Click the Load hierarchy button.
   2. Select the check boxes next to the names of the secondary servers and groups from which you want to import asset information.
   3. If you want to import assets only from new groups, select the Import assets from new groups check box.

   If no check boxes are selected, information about all assets of the selected Open Single Management Platform server is uploaded during the import.

5. Click the Save button.

The connection to the Open Single Management Platform server is now created. You can use it to import asset information from Open Single Management Platform to Kaspersky Unified Monitoring and Analysis Platform or to create tasks related to assets in Open Single Management Platform from Kaspersky Unified Monitoring and Analysis Platform.

Editing Open Single Management Platform connection

To edit a Open Single Management Platform connection:

1. Open the web interface of Kaspersky Unified Monitoring and Analysis Platform and select the Settings → Open Single Management Platform section.

   The Open Single Management Platform integration by tenant window opens.

2. Select the tenant for which you want to configure integration with Open Single Management Platform.

   The Open Single Management Platform integration window opens.

3. Click the Open Single Management Platform connection you want to change.

   The window with the selected Open Single Management Platform connection parameters opens.

4. Make the necessary changes to the settings.
5. Click the Save button.

The Open Single Management Platform connection will be changed.

Deleting Open Single Management Platform connection

To delete a Open Single Management Platform connection:

1. Open the web interface of Kaspersky Unified Monitoring and Analysis Platform and select the Settings → Open Single Management Platform section.

   The Open Single Management Platform integration by tenant window opens.

2. Select the tenant for which you want to configure integration with Open Single Management Platform.

   The Open Single Management Platform integration window opens.

3. Select the Open Single Management Platform connection that you want to delete.
4. Click the Delete button.

The Open Single Management Platform connection will be deleted.

Importing events from the Open Single Management Platform database

In KUMA, you can receive events from the Open Single Management Platform SQL database. Events are received using the collector, which uses the following resources:

• Predefined [OOTB] KSC MSSQL, [OOTB] KSC MySQL, or [OOTB] KSC PostgreSQL connector.
• Predefined [OOTB] KSC from SQL normalizer.

Configuring the import of events from Open Single Management Platform proceeds in stages:

1. Create a copy of the predefined connector.

   The settings of the predefined connector are not editable, therefore, to configure the connection to the database server, you must create a copy of the predefined connector.

2. Creating a collector:
   • In the web interface.
   • On the server.

To configure the import of events from Open Single Management Platform:

1. Create a copy of the predefined connector corresponding to the type of database used by Open Single Management Platform:
   1. In the KUMA Console, in the Resources → Connectors section, find the relevant predefined connector in the folder hierarchy, select the check box next to that connector, and click Duplicate.
   2. This opens the Create connector window; in that window, on the Basic settings tab, in the Default query field, if necessary, replace the KAV database name with the name of the Open Single Management Platform database you are using.

      An example of a query to the Open Single Management Platform SQL database

      SELECT ev.event_id AS externalId, ev.severity AS severity, ev.task_display_name AS taskDisplayName,

              ev.product_name AS product_name, ev.product_version AS product_version,

               ev.event_type As deviceEventClassId, ev.event_type_display_name As event_subcode, ev.descr As msg,

      CASE

              WHEN ev.rise_time is not NULL THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),ev.rise_time )

                  ELSE ev.rise_time

              END

          AS endTime,

          CASE

              WHEN ev.registration_time is not NULL

                  THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),ev.registration_time )

                  ELSE ev.registration_time

              END

          AS kscRegistrationTime,

          cast(ev.par7 as varchar(4000)) as sourceUserName,

          hs.wstrWinName as dHost,

          hs.wstrWinDomain as strNtDom, serv.wstrWinName As kscName,

              CAST(hs.nIp / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +

          CAST(hs.nIp / 256 / 256 % 256 AS VARCHAR) + '.' +

          CAST(hs.nIp / 256 % 256 AS VARCHAR) + '.' +

          CAST(hs.nIp % 256 AS VARCHAR) AS sourceAddress,

          serv.wstrWinDomain as kscNtDomain,

              CAST(serv.nIp / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +

          CAST(serv.nIp / 256 / 256 % 256 AS VARCHAR) + '.' +

          CAST(serv.nIp / 256 % 256 AS VARCHAR) + '.' +

          CAST(serv.nIp % 256 AS VARCHAR) AS kscIP,

          CASE

          WHEN virus.tmVirusFoundTime is not NULL

                  THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),virus.tmVirusFoundTime )

                  ELSE ev.registration_time

              END

          AS virusTime,

          virus.wstrObject As filePath,

          virus.wstrVirusName as virusName,

          virus.result_ev as result

      FROM KAV.dbo.ev_event as ev

      LEFT JOIN KAV.dbo.v_akpub_host as hs ON ev.nHostId = hs.nId

      INNER JOIN KAV.dbo.v_akpub_host As serv ON serv.nId = 1

      Left Join KAV.dbo.rpt_viract_index as Virus on ev.event_id = virus.nEventVirus

      where registration_time >= DATEADD(minute, -191, GetDate())

   3. Place the cursor in the URL field and in the displayed list, click in the line of the secret that you are using.
   4. This opens the Secret window; in that window, in the URL field, specify the server connection address in the following format:

      sqlserver://user:password@kscdb.example.com:1433/database

      where:

      • user—user account with public and db_datareader rights to the required database.
      • password—user account password.
      • kscdb.example.com:1433—address and port of the database server.
      • database—name of the Open Single Management Platform database. 'KAV' by default.

      Click Save.

   5. In the Create connector window, in the Connection section, in the Query field, replace the 'KAV' database name with the name of the Open Single Management Platform database you are using.

      You must do this if you want to use the ID column to which the query refers.

      Click Save.

2. Install the collector in the web interface:
   1. Start the Collector Installation Wizard in one of the following ways:
      • In the web interface of Kaspersky Unified Monitoring and Analysis Platform, in the Resources section, click Add event source.
      • In the web interface of Kaspersky Unified Monitoring and Analysis Platform, in the Resources → Collectors section, click Add collector.
   2. At step 1 of the installation wizard, Connect event sources, specify the collector name and select the tenant.
   3. At step 2 of the installation wizard, Transport, select the copy of the connector that you created at step 1.
   4. At step 3 of the installation wizard, Event parsing, on the Parsing schemes tab, click Add event parsing.
   5. This opens the Basic event parsing window; in that window, on the Normalization scheme tab, select [OOTB] KSC from SQL in the Normalizer drop-down list and click OK.
   6. If necessary, specify the other settings in accordance with your requirements for the collector. For the purpose of importing events, editing settings at the remaining steps of the Installation Wizard is optional.
   7. At step 8 of the installation wizard, Setup validation, click Create and save service.

      The lower part of the window displays the command that you must use to install the collector on the server. Copy this command to the clipboard.

   8. Close the Collector Installation Wizard by clicking Save collector.
3. Install the collector on the server.

   To do so, on the server on which you want to receive Open Single Management Platform events, run the command that you copied to the clipboard after creating the collector in the web interface.

As a result, the collector is installed and can receive events from the SQL database of Open Single Management Platform.

You can view Open Single Management Platform events in the Events section of the web interface.